Facebook, spammers are in 'arms race'

These spam posts were spreading on Facebook this weekend despite new security features designed to prevent such attacks.
Satnam Narang

Within days of Facebook rolling out new security features designed to block spam, several new social-engineering attacks were spreading that somehow managed to get by the company's antispam defenses.

The spammers have modified their handiwork so it will get past Facebook's scam detection system, company spokesman Fred Wolens told CNET today.

"There are new methods they've picked up after we put out the protections on Thursday," he said. "It's an arms race. We put out new protections and they come up with new campaigns... When we announced the new security features, they were calibrated for all the self-XSS attacks we'd seen at the time."

The company began turning on a feature last week that displays warnings when it detects that users are about to be duped by cross-site scripting (XSS) and clickjacking attacks. In such attacks, people are tricked into clicking something (clickjacking) or into pasting code into their browser's address bar (self-XSS).

Yet several XSS attacks spread this weekend and today, and no warnings were displayed. In one of them, users were tempted with a post that said "Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!" (On a side note, Wolens artfully dodged the question of whether Facebook would ever add a "dislike" button.)

Another attack falsely offered a way to see how many people had viewed your profile on Facebook, as an indication of how popular you are, and urged people to click the "Scan Profile" link. The links led to an external site where the user was eventually prompted to copy and paste JavaScript code into the browser's address bar, said Satnam Narang, a threat analyst at M86. (Facebook does not offer a way to see such statistics on profiles.)

A third attack tempted people with a comment of "WTF!! You look so stupid in this video" or something similar. A Flash file loads when the link is clicked, and people were told to press the CTRL and V keys, which pastes malicious JavaScript from the clipboard into the browser's address bar, according to this Zscaler blog post.

In all these cases, the user's action results in the spam message being re-posted to the victim's Facebook page and to those of their friends. Ultimately, the victim is presented with surveys to fill out. The spammers are paid for each survey completed, so the farther the spam spreads, the more money they make.

Facebook did not disclose exactly what is going on behind the scenes, since those details could help spammers in their efforts. Narang said he suspected that some of the spam was getting past Facebook's defenses by obfuscating the JavaScript. Facebook seems to have made it harder for spammers to create campaigns that automatically execute and spam your friends, so victims are now sent off to external sites and required to copy and paste text into their browsers, he said.
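The obfuscation Narang describes is exactly why matching on known lure strings falls short. As an added example (not Facebook's code and not from the article), here is a small heuristic scorer a defender could run over text that a page or post asks users to paste into the address bar; the indicator list, weights, entropy threshold and sample snippets are all assumptions constructed for the illustration.

```javascript
// Heuristic scorer for address-bar paste payloads (constructed example).
// Each indicator is a pattern common in obfuscated self-XSS snippets; weights
// and the final threshold are assumed values, not anything Facebook uses.
const INDICATORS = [
  { name: "javascript-scheme", re: /^\s*javascript:/i, weight: 3 },
  { name: "eval", re: /\beval\s*\(/, weight: 2 },
  { name: "fromCharCode", re: /String\.fromCharCode/, weight: 2 },
  { name: "decoder", re: /\b(unescape|decodeURIComponent)\s*\(/, weight: 1 },
  { name: "hex-escapes", re: /(\\x[0-9a-f]{2}|%[0-9a-f]{2}){6,}/i, weight: 2 },
  { name: "script-injection", re: /document\.(write|createElement)\s*\(\s*['"]?script/i, weight: 2 },
];

// Shannon entropy in bits per character; packed or encoded code scores high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns the weighted score, the indicator names that fired, and a verdict.
function scoreSnippet(snippet) {
  const matched = INDICATORS.filter((i) => i.re.test(snippet));
  const hits = matched.map((i) => i.name);
  let score = matched.reduce((acc, i) => acc + i.weight, 0);
  // Long, high-entropy blobs are typical of packed code even when no known
  // function name survives the obfuscation.
  if (snippet.length > 200 && shannonEntropy(snippet) > 4.5) {
    hits.push("high-entropy");
    score += 2;
  }
  return { score, hits, suspicious: score >= 4 };
}

// Constructed samples: an encoded lure-style snippet (decodes to alert(1))
// beside an ordinary DOM statement that should not be flagged.
const SAMPLE_LURE = "javascript:eval(unescape('%61%6c%65%72%74%28%31%29'))";
const SAMPLE_BENIGN = 'document.getElementById("x").textContent = "hello";';

console.log(scoreSnippet(SAMPLE_LURE));   // suspicious: true
console.log(scoreSnippet(SAMPLE_BENIGN)); // suspicious: false
```

Such a scorer is only a triage aid; the article's point is that spammers adapt, so the indicator list has to be refreshed as each new campaign is observed.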

Another spam campaign on Facebook was offering users a way to see how many people had viewed their profile.
Satnam Narang

But "the hole is still there because they are still able to generate these posts," by tricking users into clicking links and following further instructions, he added.

Facebook is learning and improving the situation with each new spam campaign and iteration of its defenses, Wolens said.

"Within a few hours of this video (spam campaign) we were able to put that information back into the system to protect people," he said.